Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

home-assistant: add allowlist_external_dirs to systemd unit ReadWritePaths #104268

Merged
merged 1 commit into from Nov 28, 2020
Merged

home-assistant: add allowlist_external_dirs to systemd unit ReadWritePaths #104268

merged 1 commit into from Nov 28, 2020

Conversation

mvnetbiz
Copy link
Contributor

Motivation for this change

Home Assistant has configuration setting allowlist_external_dirs to grant access to a directory (save security camera footage, etc.), but the service unit file has ProtectSystem enabled, blocking access to this. If the configuration is managed through NixOS, the paths are automatically added, and since the option is declared as a list now you can add paths manually in other cases through systemd.services.home-assistant.serviceConfig.ReadWritePaths = [ ... ];

Things done

modified nixos/modules/services/misc/home-assistant.nix to add specified paths in
services.home-assistant.config.homeassistant.allowlist_external_dirs to the systemd service's ReadWritePaths.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@zowoq
Copy link
Contributor

zowoq commented Nov 19, 2020

@ofborg eval

mweinelt
mweinelt approved these changes Nov 28, 2020
View reviewed changes
Copy link
Member

@mweinelt mweinelt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, that LGTM.

The aarch64 issue is probably due to test flakyness. 0.118.0 is working alright over here.

@mweinelt mweinelt merged commit 62ef710 into NixOS:master Nov 28, 2020
@mvnetbiz mvnetbiz deleted the ha-allowpaths branch November 28, 2020 23:26
@mvnetbiz
Copy link
Contributor Author

I noticed test flakyness on my own server too some times. Sometimes a second nixos-rebuild is needed then it works fine. I think there is some kind of race in the home assistant integration tests

@mvnetbiz
Copy link
Contributor Author

Not the nixos tests but the pytests

@mweinelt
Copy link
Member

Yeah, I've reported some of them upstream, but the general message I receive is, that if they work in their CI they don't really want to invest time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mweinelt mweinelt mweinelt approved these changes

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mvnetbiz @zowoq @mweinelt